Electronic discovery (or e-discovery, eDiscovery) deals with the exchange of information in electronic format (often referred to as Electronically Stored Information or ESI). Usually (but not always) a digital forensics analysis is performed to recover types of evidence. A wider group of people are involved in eDiscovery from forensic investigators, attorneys and IT personnel.

Examples of eDiscovery items include e-mails, digital photographs, ATM transaction logs, word processing documents, instant message histories, files saved from accounting programs, spreadsheets, internet browser histories, databases, the contents of computer memory, computer backups, computer printouts, Global Positioning System tracks, logs from a hotel’s electronic door locks, and digital video or audio files.

Items that should be considered for eDiscovery include:

– E-mail servers
– File and print servers
– Desktops and onsite laptops
– Field laptops
– Home computers
– Some Copy Machines
– Personal Digital Assistants (PDAs)
– Enterprise Document Management or Records Management repositories
– Shared directories
– Backup tapes
– Disks
– CD-ROMs
– DVD-ROMs
– Cell phones
– Flash memory cards such as “thumb drives”
– MP3 players (modern players support storing data)
– iPods
– Voice over IP phone systems
– Instant Messaging
– Online transactions and databases

How much volume in paper printouts can eDiscovery produce?
Although the exact count in not known, the table below gives you an example of what to expect:

Boxes of PaperTotal PagesElectronic Equivalent
12,50050 Megabytes
1025,000500 Megabytes
2050,0001 Gigabtye
200500,00010 Gigabytes

With PM Investigations we can help your organization or case by collecting the information in accordance to Federal Rules of Evidence standards. When you decide it’s time to engage a course of eDiscovery at your place of employment, it may be too late. With PM Investigations, you’ll get years of experience to help facilitate a program to help protect you from the start of the case through the end.

The following outlines the three main types of data and their characteristics:

Active: Easiest to get, least costly.

Documents that “actively” reside on the custodian’s computer hard drive or other storage device. Active documents are generally those that you can see in a file manager or explorer type of tool. Examples include e-mail and standard office documents like word processing and spreadsheets.

Active files are generally easy to access and collect. Challenges include dealing with large volumes of data and preserving file date information. Most requests for production ask for active files.

Archival: Requires restoration, costs vary on volume and backup

Documents and files stored, often in a compressed format, on off-line devices, including backup tapes or disks, floppies, and optical media. Archived documents are harder and more expensive to retrieve than active documents because they often require restoration, have complex file structures or are on media that can’t be accessed at high speeds. Challenges include dealing with old backup formats or tapes that are not cataloged.

Forensic: Most expensive, requires special tools

Documents and files that are hidden or have been erased, fragmented, or damaged, and that can reside on either on-line or off-line storage devices. Forensic collection provides the most detail and is the only approach for retrieving deleted or fragmented files; however it requires an expert to operate special tools and is time consuming. Collect forensically when you need maximum preservation protection, such as when you are responding to a specific event like a wrongful termination law suit. Often, the only way to collect data from a PDA is forensically. Due to cost and/or exposure, opposing counsel is usually not willing to provide forensically collected data, but as with archival data, will need to document this burden in the FRCP 26(f) meet and confer conference. Typically, the requesting party will be required to bear the cost of forensic collection.

Legacy: Tools may no longer be available; may need experts

Documents or files contained in very old systems that are no longer in use, but may have been mothballed and still can be turned on. Many systems from prior to Y2K fall into this category. Also data on extremely old media where equipment is no longer common to read them.

When is a good time to engage PM Investigations for an eDiscovery situation?
Consider this example. You’re getting prepared to terminate a key employee and that key employee has been telling other employees that if you do, that employee with file an EEOC complaint. So you do the next best thing and contact your company attorney by sending an e-mail. What you may not know is, and you’ll learn of this at trial or a specially set hearing, that from the day you decided that employee should be released from employment, you should of started a preservation of data on all of the data related to that key employee (see Zubulake vs. Warburg, LLC, No 02 Cir. 1243, 2003 WL21087884, May 2003). If your company doesn’t have something in place before you terminate, you may find the cost to perform this task exceedingly higher than if you started collecting in the very beginning.

What types of cases can eDiscovery help with?
From breech of contract, intellectual property litigation, trade secret violations, martial disputes, and employment lawsuits to name a few.

Can eDiscovery be used by both parties in the law suit?
Yes. In several ways the data can be useful to closing cases or preparing cases for trial where mediation has failed.

Isn’t using a computer forensic specialist the same as using an eDiscovery investigator?
No. Computer forensic specialists use computer forensic tools that are much different than tools used for eDiscovery. Computer forensic specialists are trained to look for hidden or lost ESI, reconstruct the time line of events, interpret the meaning of the evidence, and authenticate when the ESI was created and by whom.